Malware Analysis Report

2025-03-14 23:43

Sample ID 240407-xjhpcabd9y
Target e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118
SHA256 b96d522bea3052c97ad8f81593b13ea80c398e1bf8d18ff7c7f8f1e7a3cf8216
Tags: persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

b96d522bea3052c97ad8f81593b13ea80c398e1bf8d18ff7c7f8f1e7a3cf8216

Threat Level: Shows suspicious behavior

The file e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:52

Reported

2024-04-07 18:55

Platform

win7-20240221-en

Max time kernel

142s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2636 set thread context of 2256 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1904 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 1904 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 2636 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sunray1975.zapto.org udp

Files

\Users\Admin\AppData\Roaming\7D57AD13E21.exe

MD5 bc0c7737b669fbd5a4d9172b619542ef
SHA1 fea6e92d10c19805dd8c0c3f147a0d3f2b520824
SHA256 2418b31495ce0cc9be2d4fb41462741422865fc18a5dc1e53c449c05b7eb2062
SHA512 120d6e72c08b79f203f9c3724554a43790e1ad90b9d7dcfc0befa4e8d64c311ad82abc1d237b1a22af702362ff7836453ceed34cec855ae4d947519cd188f622

\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

MD5 a2f259ceb892d3b0d1d121997c8927e3
SHA1 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256 ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:52

Reported

2024-04-07 18:55

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4848 set thread context of 3484 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2032 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 4848 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e59ee68273fd99db955a2647b9d4ed93_JaffaCakes118.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 sunray1975.zapto.org udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

MD5 26a28bfdefe27b3e50bb727b8a1b03fa
SHA1 40baae30eff4a0cc7284e06cc0e92ee8d38071a4
SHA256 3f05b6c715db6585c13d6ab98b762d146e9abcd6d80b785daaa2e462105364c4
SHA512 301c8c4fc78be23e571850828b407479d7a84617b7e0b05606ec45fb9f7b78511f540fcdecdf16bb7d02d58c72b8e0861dc035ba4a4db62e27f804056a472765

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

MD5 a2f259ceb892d3b0d1d121997c8927e3
SHA1 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256 ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad
